1 /*
2 * Copyright 2020, The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #define LOG_TAG "android.hardware.security.keymint-impl"
18 #include <android-base/logging.h>
19
20 #include "AndroidKeyMintDevice.h"
21
22 #include <aidl/android/hardware/security/keymint/ErrorCode.h>
23
24 #include <keymaster/android_keymaster.h>
25 #include <keymaster/contexts/pure_soft_keymaster_context.h>
26 #include <keymaster/keymaster_configuration.h>
27
28 #include "AndroidKeyMintOperation.h"
29 #include "KeyMintUtils.h"
30
31 namespace aidl::android::hardware::security::keymint {
32
33 using namespace keymaster; // NOLINT(google-build-using-namespace)
34
35 using km_utils::authToken2AidlVec;
36 using km_utils::kmBlob2vector;
37 using km_utils::kmError2ScopedAStatus;
38 using km_utils::kmParam2Aidl;
39 using km_utils::KmParamSet;
40 using km_utils::kmParamSet2Aidl;
41 using km_utils::legacy_enum_conversion;
42 using secureclock::TimeStampToken;
43
44 namespace {
45
convertKeyCharacteristics(SecurityLevel keyMintSecurityLevel,const AuthorizationSet & requestParams,const AuthorizationSet & sw_enforced,const AuthorizationSet & hw_enforced,bool include_keystore_enforced=true)46 vector<KeyCharacteristics> convertKeyCharacteristics(SecurityLevel keyMintSecurityLevel,
47 const AuthorizationSet& requestParams,
48 const AuthorizationSet& sw_enforced,
49 const AuthorizationSet& hw_enforced,
50 bool include_keystore_enforced = true) {
51 KeyCharacteristics keyMintEnforced{keyMintSecurityLevel, {}};
52
53 if (keyMintSecurityLevel != SecurityLevel::SOFTWARE) {
54 // We're pretending to be TRUSTED_ENVIRONMENT or STRONGBOX.
55 keyMintEnforced.authorizations = kmParamSet2Aidl(hw_enforced);
56 if (include_keystore_enforced && !sw_enforced.empty()) {
57 // Put all the software authorizations in the keystore list.
58 KeyCharacteristics keystoreEnforced{SecurityLevel::KEYSTORE,
59 kmParamSet2Aidl(sw_enforced)};
60 return {std::move(keyMintEnforced), std::move(keystoreEnforced)};
61 } else {
62 return {std::move(keyMintEnforced)};
63 }
64 }
65
66 KeyCharacteristics keystoreEnforced{SecurityLevel::KEYSTORE, {}};
67 CHECK(hw_enforced.empty()) << "Hardware-enforced list is non-empty for pure SW KeyMint";
68
69 // This is a pure software implementation, so all tags are in sw_enforced.
70 // We need to walk through the SW-enforced list and figure out which tags to
71 // return in the software list and which in the keystore list.
72
73 for (auto& entry : sw_enforced) {
74 switch (entry.tag) {
75 /* Invalid and unused */
76 case KM_TAG_ECIES_SINGLE_HASH_MODE:
77 case KM_TAG_INVALID:
78 case KM_TAG_KDF:
79 case KM_TAG_ROLLBACK_RESISTANCE:
80 CHECK(false) << "We shouldn't see tag " << entry.tag;
81 break;
82
83 /* Unimplemented */
84 case KM_TAG_ALLOW_WHILE_ON_BODY:
85 case KM_TAG_BOOTLOADER_ONLY:
86 case KM_TAG_ROLLBACK_RESISTANT:
87 case KM_TAG_STORAGE_KEY:
88 break;
89
90 /* Keystore-enforced if not locally generated. */
91 case KM_TAG_CREATION_DATETIME:
92 // A KeyMaster implementation is required to add this tag to generated/imported keys.
93 // A KeyMint implementation is not required to create this tag, only to echo it back if
94 // it was included in the key generation/import request.
95 if (requestParams.Contains(KM_TAG_CREATION_DATETIME)) {
96 keystoreEnforced.authorizations.push_back(kmParam2Aidl(entry));
97 }
98 break;
99
100 /* Disallowed in KeyCharacteristics */
101 case KM_TAG_APPLICATION_DATA:
102 case KM_TAG_ATTESTATION_APPLICATION_ID:
103 break;
104
105 /* Not key characteristics */
106 case KM_TAG_ASSOCIATED_DATA:
107 case KM_TAG_ATTESTATION_CHALLENGE:
108 case KM_TAG_ATTESTATION_ID_BRAND:
109 case KM_TAG_ATTESTATION_ID_DEVICE:
110 case KM_TAG_ATTESTATION_ID_IMEI:
111 case KM_TAG_ATTESTATION_ID_SECOND_IMEI:
112 case KM_TAG_ATTESTATION_ID_MANUFACTURER:
113 case KM_TAG_ATTESTATION_ID_MEID:
114 case KM_TAG_ATTESTATION_ID_MODEL:
115 case KM_TAG_ATTESTATION_ID_PRODUCT:
116 case KM_TAG_ATTESTATION_ID_SERIAL:
117 case KM_TAG_AUTH_TOKEN:
118 case KM_TAG_CERTIFICATE_SERIAL:
119 case KM_TAG_CERTIFICATE_SUBJECT:
120 case KM_TAG_CERTIFICATE_NOT_AFTER:
121 case KM_TAG_CERTIFICATE_NOT_BEFORE:
122 case KM_TAG_CONFIRMATION_TOKEN:
123 case KM_TAG_DEVICE_UNIQUE_ATTESTATION:
124 case KM_TAG_IDENTITY_CREDENTIAL_KEY:
125 case KM_TAG_INCLUDE_UNIQUE_ID:
126 case KM_TAG_MAC_LENGTH:
127 case KM_TAG_NONCE:
128 case KM_TAG_RESET_SINCE_ID_ROTATION:
129 case KM_TAG_ROOT_OF_TRUST:
130 case KM_TAG_UNIQUE_ID:
131 case KM_TAG_MODULE_HASH:
132 break;
133
134 /* KeyMint-enforced */
135 case KM_TAG_ALGORITHM:
136 case KM_TAG_APPLICATION_ID:
137 case KM_TAG_AUTH_TIMEOUT:
138 case KM_TAG_BLOB_USAGE_REQUIREMENTS:
139 case KM_TAG_BLOCK_MODE:
140 case KM_TAG_BOOT_PATCHLEVEL:
141 case KM_TAG_CALLER_NONCE:
142 case KM_TAG_DIGEST:
143 case KM_TAG_EARLY_BOOT_ONLY:
144 case KM_TAG_EC_CURVE:
145 case KM_TAG_EXPORTABLE:
146 case KM_TAG_KEY_SIZE:
147 case KM_TAG_MAX_USES_PER_BOOT:
148 case KM_TAG_MIN_MAC_LENGTH:
149 case KM_TAG_MIN_SECONDS_BETWEEN_OPS:
150 case KM_TAG_NO_AUTH_REQUIRED:
151 case KM_TAG_ORIGIN:
152 case KM_TAG_OS_PATCHLEVEL:
153 case KM_TAG_OS_VERSION:
154 case KM_TAG_PADDING:
155 case KM_TAG_PURPOSE:
156 case KM_TAG_RSA_OAEP_MGF_DIGEST:
157 case KM_TAG_RSA_PUBLIC_EXPONENT:
158 case KM_TAG_TRUSTED_CONFIRMATION_REQUIRED:
159 case KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED:
160 case KM_TAG_UNLOCKED_DEVICE_REQUIRED:
161 case KM_TAG_USER_AUTH_TYPE:
162 case KM_TAG_USER_SECURE_ID:
163 case KM_TAG_VENDOR_PATCHLEVEL:
164 keyMintEnforced.authorizations.push_back(kmParam2Aidl(entry));
165 break;
166
167 /* Keystore-enforced */
168 case KM_TAG_ACTIVE_DATETIME:
169 case KM_TAG_ALL_APPLICATIONS:
170 case KM_TAG_ALL_USERS:
171 case KM_TAG_MAX_BOOT_LEVEL:
172 case KM_TAG_ORIGINATION_EXPIRE_DATETIME:
173 case KM_TAG_USAGE_EXPIRE_DATETIME:
174 case KM_TAG_USER_ID:
175 case KM_TAG_USAGE_COUNT_LIMIT:
176 keystoreEnforced.authorizations.push_back(kmParam2Aidl(entry));
177 break;
178 }
179 }
180
181 vector<KeyCharacteristics> retval;
182 retval.reserve(2);
183 if (!keyMintEnforced.authorizations.empty()) retval.push_back(std::move(keyMintEnforced));
184 if (include_keystore_enforced && !keystoreEnforced.authorizations.empty()) {
185 retval.push_back(std::move(keystoreEnforced));
186 }
187
188 return retval;
189 }
190
convertCertificate(const keymaster_blob_t & cert)191 Certificate convertCertificate(const keymaster_blob_t& cert) {
192 return {std::vector<uint8_t>(cert.data, cert.data + cert.data_length)};
193 }
194
convertCertificateChain(const CertificateChain & chain)195 vector<Certificate> convertCertificateChain(const CertificateChain& chain) {
196 vector<Certificate> retval;
197 retval.reserve(chain.entry_count);
198 std::transform(chain.begin(), chain.end(), std::back_inserter(retval), convertCertificate);
199 return retval;
200 }
201
addClientAndAppData(const std::vector<uint8_t> & appId,const std::vector<uint8_t> & appData,::keymaster::AuthorizationSet * params)202 void addClientAndAppData(const std::vector<uint8_t>& appId, const std::vector<uint8_t>& appData,
203 ::keymaster::AuthorizationSet* params) {
204 params->Clear();
205 if (appId.size()) {
206 params->push_back(::keymaster::TAG_APPLICATION_ID, appId.data(), appId.size());
207 }
208 if (appData.size()) {
209 params->push_back(::keymaster::TAG_APPLICATION_DATA, appData.data(), appData.size());
210 }
211 }
212
213 } // namespace
214
215 constexpr size_t kOperationTableSize = 16;
216
AndroidKeyMintDevice(SecurityLevel securityLevel)217 AndroidKeyMintDevice::AndroidKeyMintDevice(SecurityLevel securityLevel)
218 : impl_(new(std::nothrow)::keymaster::AndroidKeymaster(
219 [&]() -> auto {
220 auto context = new (std::nothrow) PureSoftKeymasterContext(
221 KmVersion::KEYMINT_4, static_cast<keymaster_security_level_t>(securityLevel));
222 context->SetSystemVersion(::keymaster::GetOsVersion(),
223 ::keymaster::GetOsPatchlevel());
224 context->SetVendorPatchlevel(::keymaster::GetVendorPatchlevel());
225 // Software devices cannot be configured by the boot loader but they have
226 // to return a boot patch level. So lets just return the OS patch level.
227 // The OS patch level only has a year and a month so we just add the 1st
228 // of the month as day field.
229 context->SetBootPatchlevel(GetOsPatchlevel() * 100 + 1);
230 auto digest = ::keymaster::GetVbmetaDigest();
231 if (digest) {
232 std::string bootState = ::keymaster::GetVerifiedBootState();
233 std::string bootloaderState = ::keymaster::GetBootloaderState();
234 context->SetVerifiedBootInfo(bootState, bootloaderState, *digest);
235 } else {
236 LOG(ERROR) << "Unable to read vb_meta digest";
237 }
238 return context;
239 }(),
240 kOperationTableSize)),
241 securityLevel_(securityLevel) {}
242
~AndroidKeyMintDevice()243 AndroidKeyMintDevice::~AndroidKeyMintDevice() {}
244
getHardwareInfo(KeyMintHardwareInfo * info)245 ScopedAStatus AndroidKeyMintDevice::getHardwareInfo(KeyMintHardwareInfo* info) {
246 info->versionNumber = 4;
247 info->securityLevel = securityLevel_;
248 info->keyMintName = "FakeKeyMintDevice";
249 info->keyMintAuthorName = "Google";
250 info->timestampTokenRequired = false;
251 return ScopedAStatus::ok();
252 }
253
addRngEntropy(const vector<uint8_t> & data)254 ScopedAStatus AndroidKeyMintDevice::addRngEntropy(const vector<uint8_t>& data) {
255 if (data.size() == 0) {
256 return ScopedAStatus::ok();
257 }
258
259 AddEntropyRequest request(impl_->message_version());
260 request.random_data.Reinitialize(data.data(), data.size());
261
262 AddEntropyResponse response(impl_->message_version());
263 impl_->AddRngEntropy(request, &response);
264
265 return kmError2ScopedAStatus(response.error);
266 }
267
generateKey(const vector<KeyParameter> & keyParams,const optional<AttestationKey> & attestationKey,KeyCreationResult * creationResult)268 ScopedAStatus AndroidKeyMintDevice::generateKey(const vector<KeyParameter>& keyParams,
269 const optional<AttestationKey>& attestationKey,
270 KeyCreationResult* creationResult) {
271
272 GenerateKeyRequest request(impl_->message_version());
273 request.key_description.Reinitialize(KmParamSet(keyParams));
274 if (attestationKey) {
275 request.attestation_signing_key_blob =
276 KeymasterKeyBlob(attestationKey->keyBlob.data(), attestationKey->keyBlob.size());
277 request.attest_key_params.Reinitialize(KmParamSet(attestationKey->attestKeyParams));
278 request.issuer_subject = KeymasterBlob(attestationKey->issuerSubjectName.data(),
279 attestationKey->issuerSubjectName.size());
280 }
281
282 GenerateKeyResponse response(impl_->message_version());
283 impl_->GenerateKey(request, &response);
284
285 if (response.error != KM_ERROR_OK) {
286 // Note a key difference between this current aidl and previous hal, is
287 // that hal returns void where as aidl returns the error status. If
288 // aidl returns error, then aidl will not return any change you may make
289 // to the out parameters. This is quite different from hal where all
290 // output variable can be modified due to hal returning void.
291 //
292 // So the caller need to be aware not to expect aidl functions to clear
293 // the output variables for you in case of error. If you left some
294 // wrong data set in the out parameters, they will stay there.
295 return kmError2ScopedAStatus(response.error);
296 }
297
298 creationResult->keyBlob = kmBlob2vector(response.key_blob);
299 creationResult->keyCharacteristics = convertKeyCharacteristics(
300 securityLevel_, request.key_description, response.unenforced, response.enforced);
301 creationResult->certificateChain = convertCertificateChain(response.certificate_chain);
302 return ScopedAStatus::ok();
303 }
304
importKey(const vector<KeyParameter> & keyParams,KeyFormat keyFormat,const vector<uint8_t> & keyData,const optional<AttestationKey> & attestationKey,KeyCreationResult * creationResult)305 ScopedAStatus AndroidKeyMintDevice::importKey(const vector<KeyParameter>& keyParams,
306 KeyFormat keyFormat, const vector<uint8_t>& keyData,
307 const optional<AttestationKey>& attestationKey,
308 KeyCreationResult* creationResult) {
309
310 ImportKeyRequest request(impl_->message_version());
311 request.key_description.Reinitialize(KmParamSet(keyParams));
312 request.key_format = legacy_enum_conversion(keyFormat);
313 request.key_data = KeymasterKeyBlob(keyData.data(), keyData.size());
314 if (attestationKey) {
315 request.attestation_signing_key_blob =
316 KeymasterKeyBlob(attestationKey->keyBlob.data(), attestationKey->keyBlob.size());
317 request.attest_key_params.Reinitialize(KmParamSet(attestationKey->attestKeyParams));
318 request.issuer_subject = KeymasterBlob(attestationKey->issuerSubjectName.data(),
319 attestationKey->issuerSubjectName.size());
320 }
321
322 ImportKeyResponse response(impl_->message_version());
323 impl_->ImportKey(request, &response);
324
325 if (response.error != KM_ERROR_OK) {
326 return kmError2ScopedAStatus(response.error);
327 }
328
329 creationResult->keyBlob = kmBlob2vector(response.key_blob);
330 creationResult->keyCharacteristics = convertKeyCharacteristics(
331 securityLevel_, request.key_description, response.unenforced, response.enforced);
332 creationResult->certificateChain = convertCertificateChain(response.certificate_chain);
333
334 return ScopedAStatus::ok();
335 }
336
337 ScopedAStatus
importWrappedKey(const vector<uint8_t> & wrappedKeyData,const vector<uint8_t> & wrappingKeyBlob,const vector<uint8_t> & maskingKey,const vector<KeyParameter> & unwrappingParams,int64_t passwordSid,int64_t biometricSid,KeyCreationResult * creationResult)338 AndroidKeyMintDevice::importWrappedKey(const vector<uint8_t>& wrappedKeyData, //
339 const vector<uint8_t>& wrappingKeyBlob, //
340 const vector<uint8_t>& maskingKey, //
341 const vector<KeyParameter>& unwrappingParams, //
342 int64_t passwordSid, int64_t biometricSid, //
343 KeyCreationResult* creationResult) {
344
345 ImportWrappedKeyRequest request(impl_->message_version());
346 request.SetWrappedMaterial(wrappedKeyData.data(), wrappedKeyData.size());
347 request.SetWrappingMaterial(wrappingKeyBlob.data(), wrappingKeyBlob.size());
348 request.SetMaskingKeyMaterial(maskingKey.data(), maskingKey.size());
349 request.additional_params.Reinitialize(KmParamSet(unwrappingParams));
350 request.password_sid = static_cast<uint64_t>(passwordSid);
351 request.biometric_sid = static_cast<uint64_t>(biometricSid);
352
353 ImportWrappedKeyResponse response(impl_->message_version());
354 impl_->ImportWrappedKey(request, &response);
355
356 if (response.error != KM_ERROR_OK) {
357 return kmError2ScopedAStatus(response.error);
358 }
359
360 creationResult->keyBlob = kmBlob2vector(response.key_blob);
361 creationResult->keyCharacteristics = convertKeyCharacteristics(
362 securityLevel_, request.additional_params, response.unenforced, response.enforced);
363 creationResult->certificateChain = convertCertificateChain(response.certificate_chain);
364
365 return ScopedAStatus::ok();
366 }
367
upgradeKey(const vector<uint8_t> & keyBlobToUpgrade,const vector<KeyParameter> & upgradeParams,vector<uint8_t> * keyBlob)368 ScopedAStatus AndroidKeyMintDevice::upgradeKey(const vector<uint8_t>& keyBlobToUpgrade,
369 const vector<KeyParameter>& upgradeParams,
370 vector<uint8_t>* keyBlob) {
371
372 UpgradeKeyRequest request(impl_->message_version());
373 request.SetKeyMaterial(keyBlobToUpgrade.data(), keyBlobToUpgrade.size());
374 request.upgrade_params.Reinitialize(KmParamSet(upgradeParams));
375
376 UpgradeKeyResponse response(impl_->message_version());
377 impl_->UpgradeKey(request, &response);
378
379 if (response.error != KM_ERROR_OK) {
380 return kmError2ScopedAStatus(response.error);
381 }
382
383 *keyBlob = kmBlob2vector(response.upgraded_key);
384 return ScopedAStatus::ok();
385 }
386
deleteKey(const vector<uint8_t> & keyBlob)387 ScopedAStatus AndroidKeyMintDevice::deleteKey(const vector<uint8_t>& keyBlob) {
388 DeleteKeyRequest request(impl_->message_version());
389 request.SetKeyMaterial(keyBlob.data(), keyBlob.size());
390
391 DeleteKeyResponse response(impl_->message_version());
392 impl_->DeleteKey(request, &response);
393
394 return kmError2ScopedAStatus(response.error);
395 }
396
deleteAllKeys()397 ScopedAStatus AndroidKeyMintDevice::deleteAllKeys() {
398 // There's nothing to be done to delete software key blobs.
399 DeleteAllKeysRequest request(impl_->message_version());
400 DeleteAllKeysResponse response(impl_->message_version());
401 impl_->DeleteAllKeys(request, &response);
402
403 return kmError2ScopedAStatus(response.error);
404 }
405
destroyAttestationIds()406 ScopedAStatus AndroidKeyMintDevice::destroyAttestationIds() {
407 return kmError2ScopedAStatus(KM_ERROR_UNIMPLEMENTED);
408 }
409
begin(KeyPurpose purpose,const vector<uint8_t> & keyBlob,const vector<KeyParameter> & params,const optional<HardwareAuthToken> & authToken,BeginResult * result)410 ScopedAStatus AndroidKeyMintDevice::begin(KeyPurpose purpose, const vector<uint8_t>& keyBlob,
411 const vector<KeyParameter>& params,
412 const optional<HardwareAuthToken>& authToken,
413 BeginResult* result) {
414
415 BeginOperationRequest request(impl_->message_version());
416 request.purpose = legacy_enum_conversion(purpose);
417 request.SetKeyMaterial(keyBlob.data(), keyBlob.size());
418 request.additional_params.Reinitialize(KmParamSet(params));
419
420 vector<uint8_t> vector_token = authToken2AidlVec(authToken);
421 request.additional_params.push_back(
422 TAG_AUTH_TOKEN, reinterpret_cast<uint8_t*>(vector_token.data()), vector_token.size());
423
424 BeginOperationResponse response(impl_->message_version());
425 impl_->BeginOperation(request, &response);
426
427 if (response.error != KM_ERROR_OK) {
428 return kmError2ScopedAStatus(response.error);
429 }
430
431 result->params = kmParamSet2Aidl(response.output_params);
432 result->challenge = response.op_handle;
433 result->operation =
434 ndk::SharedRefBase::make<AndroidKeyMintOperation>(impl_, response.op_handle);
435 return ScopedAStatus::ok();
436 }
437
deviceLocked(bool passwordOnly,const std::optional<secureclock::TimeStampToken> & timestampToken)438 ScopedAStatus AndroidKeyMintDevice::deviceLocked(
439 bool passwordOnly, const std::optional<secureclock::TimeStampToken>& timestampToken) {
440 DeviceLockedRequest request(impl_->message_version());
441 request.passwordOnly = passwordOnly;
442 if (timestampToken.has_value()) {
443 request.token.challenge = timestampToken->challenge;
444 request.token.mac = {timestampToken->mac.data(), timestampToken->mac.size()};
445 request.token.timestamp = timestampToken->timestamp.milliSeconds;
446 }
447 DeviceLockedResponse response = impl_->DeviceLocked(request);
448 return kmError2ScopedAStatus(response.error);
449 }
450
earlyBootEnded()451 ScopedAStatus AndroidKeyMintDevice::earlyBootEnded() {
452 EarlyBootEndedResponse response = impl_->EarlyBootEnded();
453 return kmError2ScopedAStatus(response.error);
454 }
455
456 ScopedAStatus
convertStorageKeyToEphemeral(const std::vector<uint8_t> &,std::vector<uint8_t> *)457 AndroidKeyMintDevice::convertStorageKeyToEphemeral(const std::vector<uint8_t>& /* storageKeyBlob */,
458 std::vector<uint8_t>* /* ephemeralKeyBlob */) {
459 return kmError2ScopedAStatus(KM_ERROR_UNIMPLEMENTED);
460 }
461
getKeyCharacteristics(const std::vector<uint8_t> & keyBlob,const std::vector<uint8_t> & appId,const std::vector<uint8_t> & appData,std::vector<KeyCharacteristics> * keyCharacteristics)462 ScopedAStatus AndroidKeyMintDevice::getKeyCharacteristics(
463 const std::vector<uint8_t>& keyBlob, const std::vector<uint8_t>& appId,
464 const std::vector<uint8_t>& appData, std::vector<KeyCharacteristics>* keyCharacteristics) {
465 GetKeyCharacteristicsRequest request(impl_->message_version());
466 request.SetKeyMaterial(keyBlob.data(), keyBlob.size());
467 addClientAndAppData(appId, appData, &request.additional_params);
468
469 GetKeyCharacteristicsResponse response(impl_->message_version());
470 impl_->GetKeyCharacteristics(request, &response);
471
472 if (response.error != KM_ERROR_OK) {
473 return kmError2ScopedAStatus(response.error);
474 }
475
476 AuthorizationSet emptySet;
477 *keyCharacteristics =
478 convertKeyCharacteristics(securityLevel_, emptySet, response.unenforced, response.enforced,
479 /* include_keystore_enforced = */ false);
480
481 return ScopedAStatus::ok();
482 }
483
getRootOfTrustChallenge(array<uint8_t,16> *)484 ScopedAStatus AndroidKeyMintDevice::getRootOfTrustChallenge(array<uint8_t, 16>* /* challenge */) {
485 return kmError2ScopedAStatus(KM_ERROR_UNIMPLEMENTED);
486 }
487
getRootOfTrust(const array<uint8_t,16> &,vector<uint8_t> *)488 ScopedAStatus AndroidKeyMintDevice::getRootOfTrust(const array<uint8_t, 16>& /* challenge */,
489 vector<uint8_t>* /* rootOfTrust */) {
490 return kmError2ScopedAStatus(KM_ERROR_UNIMPLEMENTED);
491 }
492
sendRootOfTrust(const vector<uint8_t> &)493 ScopedAStatus AndroidKeyMintDevice::sendRootOfTrust(const vector<uint8_t>& /* rootOfTrust */) {
494 return kmError2ScopedAStatus(KM_ERROR_UNIMPLEMENTED);
495 }
496
setAdditionalAttestationInfo(const vector<KeyParameter> & info)497 ScopedAStatus AndroidKeyMintDevice::setAdditionalAttestationInfo(const vector<KeyParameter>& info) {
498 SetAdditionalAttestationInfoRequest request(impl_->message_version());
499 request.info.Reinitialize(KmParamSet(info));
500
501 SetAdditionalAttestationInfoResponse response = impl_->SetAdditionalAttestationInfo(request);
502
503 if (response.error != KM_ERROR_OK) {
504 return kmError2ScopedAStatus(response.error);
505 } else {
506 return ScopedAStatus::ok();
507 }
508 }
509
CreateKeyMintDevice(SecurityLevel securityLevel)510 std::shared_ptr<IKeyMintDevice> CreateKeyMintDevice(SecurityLevel securityLevel) {
511 return ndk::SharedRefBase::make<AndroidKeyMintDevice>(securityLevel);
512 }
513
514 } // namespace aidl::android::hardware::security::keymint
515